I had problem recently where I encountered a prompt for Bitlocker keys missing but I never installed it.  Bitlocker allows encryption on your hard drive so no one can access the data.  Encryption on Mac hard drives are enabled by default.  Microsoft license agreement with PC manufacturers is that systems must ship with BitLocker DISABLED.  Microsoft ultimate plan is to enable it and have a encryption key.

How does Microsoft enable Bitlocker encryption when it is disable by default?

The new computer setup asks if you want to setup a Microsoft account.  Most people choose yes by default.  This enables features line OneDrive, find my PC, and other online features.  They neglect to mention that they enable Bitlocker.

Great, where do I find my missing Bitlocker keys?

It depends.  I know a business account that the individual manages can be found in Windows settings.

You are then redirected to a website… https://myaccount.microsoft.com/device-list

What if I manage Bitlocker through Intune?

The BitLocker is configurable through two different locations.

 

1. Endpoint Management > Devices > Platform Types (This will enforce a policy based on OS Platform and applicable if a device meet the compliance policy)
2. Endpoint Management > Endpoint Security > Disk Encryption (This will enforce BitLocker without a compliance policy)

I think we should configure the BitLocker via the 2^nd option instead of the 1^st one. The current documentation is for the 1^st option. In most cases, it fails to apply. We will discuss this in our Intune call. I have this in my notes.

What if I don’t have a Business account?

Check out this video

 

Bitlocker keys missing but I never installed IT support Summary

Bitlocker is a safe way of encrypting your data if the laptop falls into the wrong hands.  However, there are some definite quirks to be aware of for when it is or is not being deployed.  For instance, say you have a replacement motherboard for your computer.  You will need to make sure TPM security is turned off before removing the board.

 

Updating TPM Bitlocker after a BIOS update or a Motherboard Replacement

1. Re-enable and activate the TPM in the BIOS.
2. Boot the computer and enter in the recovery key.  If you do not have it and it is on the AD Domain, you can get it from the recovery console or AD (with the bitlocker snap-in)
3. Log in with an administrator account.
4. Under Control Panel, open Bitlocker Applet
5. Click on Manage Bitlocker
6. Select the option to suspend bitlocker, and then restart the computer. (You should no longer need to enter the recovery key)
7. Log in with an administrator account
8. Under Control Panel, open Bitlocker Applet
9. Click on Manage Bitlocker
10. Select Re-enable Bitlocker (this will cause the key to write to the TPM chip)